Cyber insurance, and the companies that provide it, demand that risks be managed. Taking out a policy requires a company to develop a clear understanding of what its vulnerabilities are, the risks it faces and the provisions it has in place to manage them.
Companies must take a clear view of this, or risk paying premiums for coverage that, when they come to claim, they find they are not entitled to.
Cyber insurance is therefore not a silver bullet, but one more risk treatment option that CISOs and organisations can use alongside mitigation, avoidance and acceptance. It may not cover every eventuality, nor be suitable for every organisation. So, when considering cyber insurance, there are six key factors to weigh.
First, is cyber insurance something the organisation needs or wants? What are the business benefits to the organisation, and do they outweigh the costs? This may not be a judgement that the information security function or CISO can make alone. Indeed, it may be a business-led decision.
Second, why is cyber insurance being used or considered as a risk treatment option? Most policies cover major incidents or events, not daily interruptions or business-as-usual issues. If the policy will only pay out after an incident has seriously interrupted the operations of the business, or caused it to cease trading, then it may not be the best option for treating the risks actually identified in the risk register.
Third, can the organisation actually satisfy the requirements of the cyber insurance policy? Can it list its major assets, both physical and digital, their location, the protection in place, the threat landscape, its risk management approach and results, its incident management plans, and any incidents it has dealt with previously? Can it declare to the insurer that its network, applications and IT are free from malware, known vulnerabilities and other unresolved weaknesses at the start of the policy, and maintain that position throughout its duration? Such declarations are warranties, and a warranty the organisation cannot evidence is a liability rather than an asset.
Remember that if an incident happens, and the insurer's investigation finds unresolved issues dating from before the policy start date, the insurer may declare the policy null and void at the moment it is needed most.
Fourth, what does the policy actually provide? Beyond the financial payout on a claim, does the insurer offer services, tools and support, such as incident response, forensics, legal advice or public relations, that the organisation does not have in-house or cannot obtain at the same cost? Are any of these already provided by other insurance policies the organisation holds, so that it would be paying twice?
Fifth, how will the cyber insurance interact with the organisation's supply chain? Will the policy cover losses that arise because a supplier, rather than the organisation itself, suffered an incident?
The sixth and final consideration is the reputation, expertise and financial health of the insurer. Is the insurer known for responding and paying out promptly, or does it dispute every claim?
As with any insurance, businesses must put careful thought into the policy they wish to take out and avoid oversights in what they declare and what they expect to be covered. By working through the six considerations above, businesses can keep their footing in what is still a relatively new and uncertain market.